I am working on a hosted CMS, and am thinking about allow site editors to add custom javascript and html (a much requested feature).
I am concerned that this will open up an attack vector - nasty js could make calls to the functions that our hosted CMS exposes (see the Samy worm for an example of what user scripts did to myspace), but I really want to give users control over their site (what's the point of a CMS you can't add your own clever stuff to?)
What is a good approach to fixing this issue? I can think of several which I would like commentary on, but am not going to list them for fear of the 'no list questions mods'!
I suspect that Caja is on your list, so I'll mention that this is squarely in Caja's use cases; for example, Google Sites is very like a CMS and uses Caja to embed arbitrary JS and HTML.
Caja host pages can provide arbitrary additional interfaces for use by the sandboxed content, which can include, for example, embedding widgets provided by your CMS inside the user-supplied HTML while maintaining encapsulation.
(Disclosure: I work for Google on the Caja team.)
Related
I am an ASP.NET MVC / WebForms developer by trade, so all of the websites/apps I have created in the past allowed me to use Master/Layout pages for the look/feel of all my site, while allowing me to change just the parts specific to that page.
Now, I am doing some freebie web work for a friend and I want to write it in HTML, CSS, and JavaScript using Aptana 3 so that it can be hosted wherever. Master pages are not an option for me since I am no longer in the ASP.NET/Visual Studio world, so I am looking at Server Side Includes to accomplish this. My question:
Is this a good use of SSI? I am seeing conflicting forum posts, where some say that they should be used for small pieces of the page (like a specific piece of text, time, etc). I want it to generate a large portion of my page, things like the footer, footer links, menus, banner image, etc. Basically, I want to use SSI for most of the page, and then just plug in the pieces specific to the page. Have others done this in the past with success?
If the purpose behind you choice is so that it can be hosted anywhere, then even using SSI may be restrictive since it relies on that functionality being enabled on a server.
Having said that, it is a valid option, but personally I would familiarise yourself with both the options in PHP and .NET so that you are comfortable in adapting your code to both. You are rarely going to be asked to move a site hosted on one framework to another, and if you are then you can factor changing the code into your costs.
We need to incorporate coldfusion pages into a DotNetNuke site. Example, a login page, consisting of a simple login form. OnSubmit, a coldfusion cfc webservice is called to check the credentials, returning a success flag. I am brand new to DotNetNuke and don't even know if this can be accomplished. Googling reveals next to nothing, which probably isn't a good sign. If anyone can provide a real simple example of how to do this, I would be extremely grateful.
The easiest way to do this would be to use the IFrame module in DotNetNuke, if you don't have the IFrame module available check out the Host/Extensions page, and click on the Available Extensions option.
Your cold fusion pages will have to reside somewhere else, but within the IFrame they can be loaded into a DotNetNuke website.
Long term you would likely be served best by rewriting that functionality inside of a DotNetNuke module, or finding a module that provides the same functionality.
I'm developing a web application. It's months away from completion but I would like to build a landing page to show to potential customers to explain things and gauge their interest--basically collecting their email address and if they feel like it additional information like names + addresses.
Because I'm already using Django to build my site I thought I might use another Django App to serve as this landing page. The features I need are
to display a fairly static page and potentially a series of pages,
collect emails (and additional customer data)
track their actions--e.g., they got through the first two pages but didnt fill out the final page.
Is there any pre-existing Django app that provides any of these features?
If there is not a Django app, then does anyone know of another, faster/better way than building my own app? Perhaps a pre-existing web service that you can skin and make look like your own? Maybe there's the perfect system but it's PHP?--I'm open for whatever.
Option 1: Google Sites
You can set it up very very quickly. Though your monitoring wouldn't be as detailed as you're asking for.. Still, easy and fasssst!
Option 2: bbclone
Something else that may be helpful is to set up some PHP based site (wordpress or something) and use bbclone for tracking stuff on it. I've found bbclone to be pretty intense with the reporting what everyone does - though it's been a while since I used it.
Option 3: Django Flatpages
The flatpages Django contrib app is pretty handy for making static flat pages. I'd probably just embed a Google Docs Form to collect email addresses (as that's super fast and lets you get back to real work). But this suggestion would still leave you needing to figure out how to get the level of detail you want on the stats end.
Perhaps consider Google Analytics anyway?
Regardless, I suggest you use Google Analytics with everything. That'll work with anything you do really, and for all I know, perhaps you can find a way to get the stats you're really looking for out of it.
I haven't been using Django too long, but I'm about to start a pretty hefty-sized project. I'm always nervous using fairly new frameworks (new to me) on large projects because I've been burned before. However, I'm pretty confident in Django...this will finally be the project that makes me leap from my home-grown PHP framework to a popular Python framework. (yay!)
Anyway, my question is whether or not the built-in Django admin is robust enough to use for a fully-fledged customer-facing interface (the clients will be using it themselves, not me). I see that it's pretty customizable, but I'm wondering if extensible enough to handle various non-standard cases. I don't have any concrete examples yet since I haven't started yet.
Has anyone used the Django admin for some pretty customized interfaces that non-programmer users use? Was it worth it? Would you rather have just created a home-grown admin interface specifically for the site?
Just to clarify, the users would be completely non-techy.
If I understand it correctly, you want to use the django admin for all users, to let them update the site.
If this is true, I think you may be using it in a different way from what was its main purpose, as you can get from the Django book (emphasis is mine):
For a certain class of Web sites, an
admin interface is an essential part
of the infrastructure. This is a
Web-based interface, limited to
trusted site administrators, that
enables the adding, editing and
deletion of site content.
If your users need to update content (like, let's say, adding a new article) then it may be OK.
But if you want to use it for any site interaction, then I think the user experience will not be as good.
I think a very nice example of how the admin can be used, and when it should not be used is in ReviewBoard: there, most of user actions are handled directly by the site, and only the configuration and management are then handled using the admin.
In the end, it is a matter of usability. If you think that it is OK for your application to have a different section to manage addition to the site, then Django's admin site may be a real time saver. In all other cases, maybe it is better to invest some time more.
My company has built a CMS on top of Django that handles numerous tasks (flat pages, blogs, members-only sections, importing and parsing data from external sites like youtube and flickr, mailing lists, albums songs and lyrics for artists, etc.) and so far we're still using the built-in admin. We have several very non-technical clients using it regularly.
You can go pretty far in customizing it with the admin.py files when you really get into it. The only things we've added are tinyMCE and Filebrowser to make those aspects easier for the end users.
I will say that we are working on a gallery module that is going to need a custom admin, though. Otherwise I've been pretty happy and impressed with how flexible and powerful Django's admin can be. And it's as user-friendly as you can think to make it.
It depends. The admin will let you customize quite a bit, with different groups of users having access to different tables, and if you give them access to different admin interfaces, you can even give them different sets of columns available on the tables. However, the admin isn't really set up to let you restrict users' row level access based on their authorization level. Once you've let them into a table, they can make changes to any object available to them.
You can customize widgets however you like by subclassing widget types (though the built-in filter_horizontal and raw_id_admin are indispensable and make this task simple for certain data types!)
So I guess it depends on what you mean by customers. If you mean the people who hired you to write the website (I think I'd call them clients rather than customers), then there's a good chance the admin will suit you just fine. If you mean the end users of a website, I would stick with hand-crafted django forms.
In general I view the Django admin as an interface to performing the tedious tasks of insert delete and editing. So, I'm not afraid of customizing it to a large extent (even if this means subclassing internal Django objects and passing them back to the admin interface at runtime), but be aware it will require you to read Django source (which fortunately isn't very hard to do).
So for me, the discriminator of using it or not is "insert, delete, update" of concepts that map very well to the database tables, not amount of user technical knowledge, amount I trust the users, or project size.
I'm looking at setting up a small company that hosts flash-based websites for artist portfolios. The customer control panel would be django-powered, and would provide the interface for uploading their images, managing galleries, selling prints, etc.
Seeing as the majority of traffic to the hosted sites would end up at their top level domain, this would result in only static media hits (the HTML page with the embedded flash movie), I could set up lighttpd or nginx to handle those requests, and pass the django stuff back to apache/mod_whatever.
Seems as if I could set this all up on one box, with the django sites framework keeping each site's admin separate.
I'm not much of a server admin. Are there any gotchas I'm not seeing?
Maybe. I don't think the built-in admin interface is really designed to corral admins into their own sites. The sites framework is more suited to publish the same content on multiple sites, not to constrain users to one site or another. You'd be better off writing your own admin interface that enforces those separations.
As far as serving content goes, it seems like you could serve up a common (static) Flash file that uses a dynamic XML file to fill in content. If you use Django to generate the XML, that would give you the dynamic content you need.
This django snippet might be what you need to keep them seperate:
http://www.djangosnippets.org/snippets/1054/
"A very simple multiple user blog model with an admin interface configured to only allow people to edit or delete entries that they have created themselves, unless they are a super user."
Depending on the amount of sites you're going to host it might be easier to write a single Django app once, with admin, and to create a separate Django project for each new site. This is simple, it works for sure AND as an added bonus you can add features to newer sites without running the risk of causing problems in older sites.
Then again, it might be handier to customize the admin such that you limit the amount of objects users can see to those on the given site itself. This is fairly easy to do, allthough you might want to use RequestSite instead of the usual Site from the sites framework as that requires separate settings for each site.
There exists this one method in the ModelAdmin which you can override to have manual control over the objects being edited.